DNS pollution on Shanghai China Mobile

2019-05-09 12:40:21 +08:00
 jackmod

I had been using the ISP's DNS all along: 211.136.150.66

I noticed that quite a few less-popular sites show an SSL error, NET::ERR_CERT_COMMON_NAME_INVALID; the domain used for the hijack is *.cdn-now.com

The dig result for one of those sites:

$ dig tinypng.com

; <<>> DiG 9.11.5-P1-1ubuntu2-Ubuntu <<>> tinypng.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40064
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;tinypng.com.			IN	A

;; ANSWER SECTION:
tinypng.com.		784	IN	A	58.216.111.27

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: 四 5 月 09 12:09:11 CST 2019
;; MSG SIZE  rcvd: 56

Queries for other sites also point to 58.216.111.27

This is what you get when the domain points to that IP:

$ curl --insecure -v https://tinypng.com
...
...
* Expire in 1 ms for 1 (transfer 0x5565723305c0)
* Expire in 2 ms for 1 (transfer 0x5565723305c0)
*   Trying 58.216.111.27...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5565723305c0)
* Connected to tinypng.com (58.216.111.27) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.cdn-now.com
*  start date: Apr 16 03:50:48 2019 GMT
*  expire date: Jul 15 03:50:48 2019 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: tinypng.com
> User-Agent: curl/7.64.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx
< Date: Thu, 09 May 2019 04:06:18 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 787
< Last-Modified: Mon, 29 Apr 2019 03:34:06 GMT
< Connection: keep-alive
< ETag: "5cc670ae-313"
< Accept-Ranges: bytes
< 
<!DOCTYPE html>
<html><head><title></title>
<link rel="dns-prefetch" href="//s96.cnzz.com" />
<link rel="dns-prefetch" href="//z2.cnzz.com" />
<link rel="dns-prefetch" href="//jserr.cnzz.com" />
<link rel="dns-prefetch" href="//c.cnzz.com" />
<link rel="dns-prefetch" href="//ei.cnzz.com" />
<link rel="dns-prefetch" href="//ca.cnzz.com" />
<link rel="dns-prefetch" href="//f1.cdn-now.com" />
</head>
<body>
<script>
function rndStr(len) {
len = len || 6;
var $chars = '0123456789abcdefghijklmnopqrstuvwxyz';
var maxPos = $chars.length;
var pwd = '';
for (i = 0; i < len; i++) {
pwd += $chars.charAt(Math.floor(Math.random() * maxPos));
}
return pwd;
}
var rnd1 = rndStr(6);
var rnd2 = rndStr(12);
window.location.href="https://f1.cdn-now.com/?"+rnd1+"="+rnd2;
</script>
</body>
</html>
* Connection #0 to host tinypng.com left intact

The final redirect target, f1.cdn-now.com, is a gambling site.

Whereas the DNS provided by CNNIC is completely normal:

$ dig tinypng.com @1.2.4.8

; <<>> DiG 9.11.5-P1-1ubuntu2-Ubuntu <<>> tinypng.com @1.2.4.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52271
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tinypng.com.			IN	A

;; ANSWER SECTION:
tinypng.com.		387	IN	A	35.190.0.251

;; AUTHORITY SECTION:
tinypng.com.		8633	IN	NS	ns-cloud-b3.googledomains.com.
tinypng.com.		8633	IN	NS	ns-cloud-b1.googledomains.com.
tinypng.com.		8633	IN	NS	ns-cloud-b4.googledomains.com.
tinypng.com.		8633	IN	NS	ns-cloud-b2.googledomains.com.

;; ADDITIONAL SECTION:
ns-cloud-b1.googledomains.com. 300721 IN A	216.239.32.107
ns-cloud-b2.googledomains.com. 130538 IN A	216.239.34.107
ns-cloud-b3.googledomains.com. 339744 IN A	216.239.36.107
ns-cloud-b4.googledomains.com. 329586 IN A	216.239.38.107
ns-cloud-b1.googledomains.com. 325725 IN AAAA	2001:4860:4802:32::6b
ns-cloud-b2.googledomains.com. 325368 IN AAAA	2001:4860:4802:34::6b
ns-cloud-b3.googledomains.com. 327608 IN AAAA	2001:4860:4802:36::6b
ns-cloud-b4.googledomains.com. 341665 IN AAAA	2001:4860:4802:38::6b

;; Query time: 4 msec
;; SERVER: 1.2.4.8#53(1.2.4.8)
;; WHEN: 四 5 月 09 12:09:24 CST 2019
;; MSG SIZE  rcvd: 350
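The post's evidence boils down to three checks: several unrelated domains collapsing onto one IP at the ISP resolver, the ISP answer disagreeing with an independent resolver, and the served certificate's CN (`*.cdn-now.com`) not matching the requested host. The script below is an added example, not code from the original post; it runs those checks offline over constructed sample data (the `example-*.test` names and `198.51.100.x` / `203.0.113.x` addresses are placeholders; only `tinypng.com`, `58.216.111.27`, `35.190.0.251` and `*.cdn-now.com` come from the thread).

```python
"""Flag DNS-hijack symptoms from resolver answers and a served certificate CN.

Added example (not part of the original post). All sample data is constructed;
in practice the answer dicts would be filled from real queries to each resolver.
"""
import re
from collections import defaultdict

# Constructed sample: A answers from the ISP resolver and from a reference resolver.
ISP_ANSWERS = {
    "tinypng.com": "58.216.111.27",     # value seen in the post
    "example-a.test": "58.216.111.27",  # placeholder domain, same sinkhole IP
    "example-b.test": "58.216.111.27",  # placeholder domain, same sinkhole IP
    "example-c.test": "203.0.113.7",    # placeholder, not hijacked
}
REF_ANSWERS = {
    "tinypng.com": "35.190.0.251",      # value returned by 1.2.4.8 in the post
    "example-a.test": "198.51.100.10",
    "example-b.test": "198.51.100.11",
    "example-c.test": "203.0.113.7",
}

# Constructed dig excerpt in the same layout as the post's output.
SAMPLE_DIG = """;; QUESTION SECTION:
;tinypng.com.\t\t\tIN\tA

;; ANSWER SECTION:
tinypng.com.\t\t784\tIN\tA\t58.216.111.27

;; Query time: 0 msec
"""

A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_dig_answers(dig_text):
    """Return [(name, ip), ...] from the ANSWER SECTION of dig output only."""
    records, in_answer = [], False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                break  # end of the answer section
            m = A_RECORD.match(line)
            if m:
                records.append((m.group(1).rstrip("."), m.group(2)))
    return records


def shared_ip_suspects(answers, threshold=3):
    """IPs that at least `threshold` distinct domains resolve to (sinkhole pattern)."""
    by_ip = defaultdict(list)
    for domain, ip in answers.items():
        by_ip[ip].append(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= threshold}


def resolver_disagreements(isp, reference):
    """Domains where the ISP resolver and the reference resolver return different A records."""
    return sorted(
        (d, isp[d], reference[d]) for d in isp if d in reference and isp[d] != reference[d]
    )


def cert_matches_host(cert_cn, hostname):
    """Simplified RFC 6125 matching: a '*' may only replace the whole leftmost label."""
    cn_labels = cert_cn.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cn_labels) != len(host_labels) or cn_labels[1:] != host_labels[1:]:
        return False
    if cn_labels[0] == "*":
        return len(cn_labels) >= 3  # refuse wildcards like *.com
    return cn_labels[0] == host_labels[0]


if __name__ == "__main__":
    print("parsed:", parse_dig_answers(SAMPLE_DIG))
    print("shared sinkhole IPs:", shared_ip_suspects(ISP_ANSWERS))
    for domain, isp_ip, ref_ip in resolver_disagreements(ISP_ANSWERS, REF_ANSWERS):
        print(f"mismatch {domain}: ISP={isp_ip} reference={ref_ip}")
    print("CN *.cdn-now.com valid for tinypng.com?", cert_matches_host("*.cdn-now.com", "tinypng.com"))
```

The certificate check explains the browser error in the post: a valid Let's Encrypt certificate for `*.cdn-now.com` is still the wrong certificate for `tinypng.com`, which is exactly why `curl` only proceeds with `--insecure`.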
Node: 宽带症候群
2 replies
happyeveryday
2019-05-09 15:52:06 +08:00
Shanghai China Mobile polluting its own DNS to push gambling sites? Just think about it, there's no way that is official behaviour...
geekvcn
2019-05-18 12:29:30 +08:00
China Mobile is a wall within the wall all over the country, and on top of that they hijack UDP port 53

https://www.v2ex.com/t/562485

© 2021 V2EX